RE: Freeradius - LDAP Authentication
Kris and List,

Still having no luck getting rlm_ldap to work. I used a packet sniffer to check traffic and all I see is a SYN packet to the LDAP and then a SYN back to the RADIUS, followed by a RST packet from the RADIUS server to the LDAP. I cannot decipher any user details in the first packet, so I assume none are being sent. I searched the archives for this and came across a patch for ver 0.6; can I assume that this was rolled into subsequent versions?

Not sure how to proceed. Any other pointers, anyone?

Thanks
Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kris Benson
Sent: Wednesday, August 10, 2005 2:20 PM
To: FreeRadius users mailing list
Cc: 'FreeRadius users mailing list'
Subject: Re: Freeradius - LDAP Authentication

FreeRadius users mailing list on August 10, 2005 at 11:17 -0800 wrote:
>
>>I think I'm at the end of my abilities here, but will make a couple more
>>comments.
>
>>First off, I'm nowhere near being an LDAP pro, but what's up with the
>>"o=marymount.edu.o=marymount.edu" ? There are two things that stick out
>>to me here -- first off, the '.' between the elements... I'm used to
>>seeing a comma. Second, the duplication of the o=. Do you *really* have
>>a child element named the same as its parent?
>
>We do indeed have a child with the same name as the parent and they both
>have "." in them. Fun, hey?
>

For sure one other idea, then... If your structure is this:

o=marymount.edu.
  |
  -> o=marymount.edu.

should this maybe be "o=marymount.edu.,o=marymount.edu." ? (note trailing periods, making an FQDN)

Or perhaps if your structure is this:

o=marymount.edu
  |
  -> o=marymount.edu

should this maybe be "o=marymount.edu,o=marymount.edu" ?

Just a thought... your original looks like a typo, based on the fact that the two fields are not being joined by a comma.

HTH,
-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
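The DN question Kris raises (a '.' where a ',' should separate the two o= components) can be checked mechanically. The following is an added example, not code from the thread or from FreeRADIUS: a small RFC 4514-style DN splitter, a heuristic that flags an RDN value containing an unescaped '=', and a helper that pulls the DN out of an rlm_ldap "bind as" debug line of the kind quoted later in this thread. The sample line is constructed from that debug line with the password replaced by a placeholder; rlm_ldap's debug output of this vintage prints the bind password after the slash, so such lines should be redacted before being posted anywhere.

```python
"""Check the bind DN that rlm_ldap prints in its debug output.

Added example (not FreeRADIUS code, not from the thread): a small RFC 4514
style DN splitter plus a heuristic for the "period where a comma should be"
mistake, and a parser for the 'bind as' debug line.  Standard library only.
"""
import re

# rlm_ldap of this vintage logs "bind as <DN>/<password> to <host>:<port>".
_BIND_LINE = re.compile(
    r"rlm_ldap: bind as (?P<dn>.+)/(?P<secret>[^/]*) to (?P<host>[^:\s]+):(?P<port>\d+)"
)
# Attribute type: a descriptor (uid, ou, o, cn ...) or a numeric OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
# A '.' immediately followed by something that looks like 'type=' is the
# likely spot where a ',' was meant.
_DOT_BEFORE_RDN = re.compile(r"\.(?=[A-Za-z][A-Za-z0-9-]*=)")

# Constructed sample: the DN from the debug line quoted in this thread, with
# the real bind password replaced by a placeholder.
SAMPLE = ("Aug 10 07:06:21 2005 : Debug: rlm_ldap: bind as "
          "uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu/changeme"
          " to info.marymount.edu:389")


def _split_unescaped(s, sep):
    """Split s on sep, keeping backslash-escaped characters together."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def split_dn(dn):
    """Return the RDN strings of dn, most specific first (quoted values not handled)."""
    return _split_unescaped(dn, ",")


def check_dn(dn):
    """Return a list of findings; an empty list means the DN looks well formed."""
    findings = []
    for n, rdn in enumerate(split_dn(dn), 1):
        pieces = _split_unescaped(rdn, "=")
        if len(pieces) < 2:
            findings.append("RDN %d: %r has no '='" % (n, rdn))
            continue
        atype, value = pieces[0].strip(), "=".join(pieces[1:]).strip()
        if not _ATTR_TYPE.match(atype):
            findings.append("RDN %d: %r is not an attribute type or OID" % (n, atype))
        if not value:
            findings.append("RDN %d: empty value" % n)
        if len(pieces) > 2:
            findings.append("RDN %d: value %r contains an unescaped '='; a ',' "
                            "between RDNs is probably missing" % (n, value))
    return findings


def suggest_fix(dn):
    """Turn 'o=a.b.o=c' into 'o=a.b,o=c' inside any RDN that has a stray '='.

    A guess only: confirm the real naming context with ldapsearch before
    editing the RADIUS configuration.
    """
    out = []
    for rdn in split_dn(dn):
        if len(_split_unescaped(rdn, "=")) > 2:
            rdn = _DOT_BEFORE_RDN.sub(",", rdn)
        out.append(rdn)
    return ",".join(out)


def audit_bind_line(line):
    """Parse a 'bind as' debug line; return findings and a redacted copy of it."""
    m = _BIND_LINE.search(line)
    if not m:
        raise ValueError("not an rlm_ldap bind debug line")
    dn, secret = m.group("dn"), m.group("secret")
    return {
        "dn": dn,
        "server": "%s:%s" % (m.group("host"), m.group("port")),
        "findings": check_dn(dn),
        "suggested_dn": suggest_fix(dn),
        # Safe to paste into a mailing list: the password is gone.
        "redacted": line.replace("/%s to " % secret, "/<redacted> to ", 1),
    }


if __name__ == "__main__":
    report = audit_bind_line(SAMPLE)
    print(report["redacted"])
    for f in report["findings"]:
        print("  -", f)
    print("  suggested DN:", report["suggested_dn"])
```

On the sample line this reports one finding, for the third RDN, and suggests "uid=sbarnes,ou=people,o=marymount.edu,o=marymount.edu". The suggestion is only the comma variant; whether the real entries carry trailing periods, as Kris also wonders, can only be settled by reading the naming context out of the directory.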
RE: Freeradius - LDAP Authentication
Hi Kris,

Thanks for your input.

>I think I'm at the end of my abilities here, but will make a couple more
>comments.

>First off, I'm nowhere near being an LDAP pro, but what's up with the
>"o=marymount.edu.o=marymount.edu" ? There are two things that stick out
>to me here -- first off, the '.' between the elements... I'm used to
>seeing a comma. Second, the duplication of the o=. Do you *really* have
>a child element named the same as its parent?

We do indeed have a child with the same name as the parent and they both have "." in them. Fun, hey?

>I'm sorry I can't be of more assistance... but if ldapsearch works with
>the same binding credentials as FreeRadius (n.b. bind as the *user*
>"sbarnes" *not* as admin), then the issue looks to be something with the
>way FreeRadius & the Sun software interact.

I'll try and investigate to see if there are differences between the Sun and OpenLDAP servers and how they interact with FreeRADIUS. Anyone else out there with Sun Directory Server / iPlanet?

>Is there, by chance, a policy restricting number of connections per minute
>on the Sun server? FreeRadius likes to connect at least twice in the
>authentication process -- once to search the directory, again to bind as
>the user it found.

As far as I know there is no policy restricting access requests per minute, but I will check.

Simon Barnes
RE: Freeradius - LDAP Authentication
Kris,

Thanks for the configs; however, I still cannot get this to work. I'm still seeing:

Aug 10 07:06:21 2005 : Debug: rlm_ldap: bind as uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu/cortina to info.marymount.edu:389
Wed Aug 10 07:06:21 2005 : Error: rlm_ldap: uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu bind to info.marymount.edu:389 failed: Can't contact LDAP server

I even tried authenticating to the backup LDAP server. Is there any way to test the LDAP module by hand, as it were? Also I was wondering if this was an attribute mapping problem; has anyone with Sun ONE / iPlanet Directory Server got this to work?

Thanks
Simon
RE: Freeradius - LDAP Authentication
>Well, having just looked at your config again, I'm wondering if it isn't
>this filter:
> ldap: filter = "(&(objectClass=aRadiusAccount)(uid=%u))"
>
>is that 'a' supposed to be there?
>
>Also, have you custom defined the LDAP schema for this objectclass? If
>not, I don't believe the 'aRadiusAccount' is valid, at least not in the
>standard OpenLDAP w/FreeRadius extensions schema that I have.
>
>What if you start by removing that part of the filter and just searching
>for the uid?

Hi Kris,

I have tried changing the LDAP filter by removing the "a" and also tried a plain filter just for uid; I am still getting the same error. In addition I also tried a different LDAP account which tests successfully using ldapsearch. I am now at a loss; if anyone has a working config that they wouldn't mind sharing, that would be much appreciated.

Thanks
Simon
RE: Freeradius - LDAP Authentication
>What if you change the "identity" portion of the radiusd.conf to be the
>full DN of the admin user? I have a sneaking suspicion that the "can't
>connect" may also include "can't authenticate"...
>
>So, assuming that the "directory manager" user is in the people ou, try
>this for the identity:
>"cn=directory manager,ou=people,o=marymount.edu,o=marymount.edu"

Kris,

I have tried various accounts, my own and test accounts, along with variations of the DN, and I get the same errors. I'm at a loss, as ldapsearch and telnetting to the port all seem to work.

Simon
RE: Freeradius - LDAP Authentication
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dusty Doris
Sent: Friday, August 05, 2005 11:57 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius - LDAP Authentication

>This is pretty clear that it cannot connect. What does your ldapsearch
>command look like? Perhaps you have the wrong port or IP in your config?
>What does telnet 198.100.0.18 389 show you?

Hi Dusty and Kris,

The IP address I am using for the LDAP is correct. When using ldapsearch

ldapsearch -h 198.100.0.18 -b ou=people,o=marymount.edu,o=marymount.edu -D "cn=directory manager" -W

I can connect and get prompted for the password, after which I get a complete dump of the LDAP. I did a tcpdump on the FreeRADIUS machine and this is the output:

tcpdump: listening on dc0
11:32:59.115890 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: S 3685972564:3685972564(0) win 16384 (DF)
11:32:59.116137 cooper.marymount.edu.ldap > morris.marymount.edu.34613: S 3939941434:3939941434(0) ack 3685972565 win 49232 (DF)
11:32:59.116222 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 1 win 16384 (DF)
11:32:59.116312 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: F 1:1(0) ack 1 win 16384 (DF)
11:32:59.116427 cooper.marymount.edu.ldap > morris.marymount.edu.34613: . ack 2 win 49232 (DF)
11:32:59.117917 cooper.marymount.edu.ldap > morris.marymount.edu.34613: F 1:1(0) ack 2 win 49232 (DF)
11:32:59.117987 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 2 win 16383 (DF)
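The capture above can be read mechanically rather than by eye. What follows is an added example, not code from the thread, from FreeRADIUS or from tcpdump: it parses the classic one-line tcpdump TCP format quoted above, works out which side opened the connection, whether the three-way handshake completed, how many payload bytes each side sent and which side closed first, and turns that into a verdict. The first trace constant is the capture posted above; the second is constructed to show the contrasting "nothing listening on the port" case. On the posted capture the verdict is that the client (morris) completed the handshake and then closed with a FIN having sent zero bytes of payload, so in this capture the directory never received a bind request and the failure occurs on the RADIUS side before any LDAP message is put on the wire.

```python
"""Classify a short tcpdump trace of one TCP connection attempt.

Added example, not code from the thread or from FreeRADIUS: parses the
classic tcpdump line format quoted above and reports who opened the
connection, whether the handshake completed, how many payload bytes each
side sent and who closed first, so "did the client ever send an LDAP
request?" can be answered mechanically.  Standard library only.
"""
import re

# Pre-4.x tcpdump TCP line: time src > dst: FLAGS [seq:end(len)] [ack N] ...
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRP.]+)\s*"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?\s*"
    r"(?:ack\s+(?P<ack>\d+))?"
)

# The capture posted above (RADIUS host morris, directory host cooper).
THREAD_TRACE = """\
tcpdump: listening on dc0
11:32:59.115890 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: S 3685972564:3685972564(0) win 16384 (DF)
11:32:59.116137 cooper.marymount.edu.ldap > morris.marymount.edu.34613: S 3939941434:3939941434(0) ack 3685972565 win 49232 (DF)
11:32:59.116222 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 1 win 16384 (DF)
11:32:59.116312 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: F 1:1(0) ack 1 win 16384 (DF)
11:32:59.116427 cooper.marymount.edu.ldap > morris.marymount.edu.34613: . ack 2 win 49232 (DF)
11:32:59.117917 cooper.marymount.edu.ldap > morris.marymount.edu.34613: F 1:1(0) ack 2 win 49232 (DF)
11:32:59.117987 morris.marymount.edu.34613 > cooper.marymount.edu.ldap: . ack 2 win 16383 (DF)
"""

# Constructed contrast case (not from the thread): nothing listening on the port.
REFUSED_TRACE = """\
12:00:00.000000 morris.marymount.edu.34614 > cooper.marymount.edu.ldap: S 100:100(0) win 16384 (DF)
12:00:00.000200 cooper.marymount.edu.ldap > morris.marymount.edu.34614: R 0:0(0) ack 101 win 0
"""


def parse_tcpdump(text):
    """Return one dict per packet line; lines that are not packets are skipped."""
    packets = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "ts": d["ts"], "src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "len": int(d["len"] or 0),
            "ack": int(d["ack"]) if d["ack"] is not None else None,
        })
    return packets


def classify_flow(packets):
    """Summarise a single connection: opener, handshake, payload bytes, closer."""
    syns = [p for p in packets if "S" in p["flags"] and p["ack"] is None]
    if not syns:
        raise ValueError("no initial SYN in trace")
    client, server = syns[0]["src"], syns[0]["dst"]
    synack = any("S" in p["flags"] and p["src"] == server and p["ack"] is not None
                 for p in packets)
    third_ack = any(p["src"] == client and "S" not in p["flags"] and p["ack"] is not None
                    for p in packets)
    payload = {client: 0, server: 0}
    for p in packets:
        payload[p["src"]] = payload.get(p["src"], 0) + p["len"]
    # First FIN or RST decides who gave up and how.
    closer = next(((p["src"], "RST" if "R" in p["flags"] else "FIN")
                   for p in packets if "R" in p["flags"] or "F" in p["flags"]), None)

    if not synack:
        if closer and closer[0] == server and closer[1] == "RST":
            verdict = "server refused the connection (RST to SYN): wrong host/port or nothing listening"
        else:
            verdict = "no SYN-ACK: packets filtered or host unreachable"
    elif not third_ack:
        verdict = "handshake never completed"
    elif payload[client] == 0 and closer and closer[0] == client:
        verdict = ("client completed the handshake and closed with %s without sending "
                   "any payload: the client-side library gave up before a request went "
                   "out, so the directory never saw a bind" % closer[1])
    elif payload[server] == 0:
        verdict = "client sent %d bytes but the server answered nothing" % payload[client]
    else:
        verdict = ("application data flowed both ways (%d/%d bytes): inspect the LDAP "
                   "result code, not the network" % (payload[client], payload[server]))
    return {"client": client, "server": server, "handshake": synack and third_ack,
            "payload": payload, "closer": closer, "verdict": verdict}


if __name__ == "__main__":
    for name, trace in (("thread", THREAD_TRACE), ("refused", REFUSED_TRACE)):
        print(name + ":", classify_flow(parse_tcpdump(trace))["verdict"])
```

Run with python3 and it prints one verdict per trace. The pattern is for the tcpdump 3.x output shown here (seq:end(len) followed by "ack N"); tcpdump 4.x prints "Flags [S]" with "seq" and "ack" keywords and would need its own regular expression. The zero-payload-then-FIN signature is worth recognising in general: a firewall or a dead directory produces no SYN-ACK or a RST, whereas a library that connects and immediately hangs up points at something local to the client, such as a failed option or TLS setup before the first request.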